Real-time information security incident management : a case study using the IS-CHEC technique

White Rose Research Online URL for this paper:

http://eprints.whiterose.ac.uk/151672/

Version: Published Version

Article:

Evans, M., He, Y., Luo, C. et al. (4 more authors) (2019) Real-time information security

incident management : a case study using the IS-CHEC technique. IEEE Access, 7. pp.

142147-142175.

https://doi.org/10.1109/access.2019.2944615

[email protected] https://eprints.whiterose.ac.uk/ Reuse

This article is distributed under the terms of the Creative Commons Attribution (CC BY) licence. This licence allows you to distribute, remix, tweak, and build upon the work, even commercially, as long as you credit the authors for the original work. More information and the full terms of the licence here:

https://creativecommons.org/licenses/

Takedown

If you consider content in White Rose Research Online to be in breach of UK law, please notify us by

Real-Time Information Security Incident

Management: A Case Study Using

the IS-CHEC Technique

MARK EVANS 1_{, YING HE} 1_{, CUNJIN LUO} 2,3_{, IRYNA YEVSEYEVA}1_{, HELGE JANICKE} 1_,

EFPRAXIA ZAMANI4_{, AND LEANDROS A. MAGLARAS} 1

1_{Cyber Technology Institute, De Montfort University, Leicester LE1 9BH, U.K.}

2_{Key Laboratory of Medical Electrophysiology, Ministry of Education, Institute of Cardiovascular Research,}

Southwest Medical University, Luzhou 646000, China

3_{School of Computer Science and Engineering, Northeastern University, Shenyang 110819, China} 4_{Information School, University of Sheffield, Sheffield S10 2TN, U.K.}

Corresponding authors: Ying He ([email protected]) and Cunjin Luo ([email protected])

The work of C. Luo was supported by the National Natural Science Foundation of China (NSFC) under Grant 61803318.

ABSTRACT _{Information security recognised the human as the weakest link. Despite numerous}

interna-tional or sector-specific standards and frameworks, the information security community has not yet adopted formal mechanisms to manage human errors that cause information security breaches. Such techniques have been however established within the safety field where human reliability analysis (HRA) techniques are widely applied. In previous work we developed Information Security Core Human Error Causes (IS-CHEC) to fill this gap. This case study presents empirical research that uses IS-CHEC over a 12 month period within two participating public and private sector organisations in order to observe and understand how the implementation of the IS-CHEC information security HRA technique affected the respective organisations. The application of the IS-CHEC technique enabled the proportions of human error related information security incidents to be understood as well as the underlying causes of these incidents. The study captured the details of the incidents in terms of the most common underlying causes, selection of remedial and preventative measures, volumes of reported information security incidents, proportions of human error, common tasks undertaken at the time the incident occurred, as well as the perceptions of key individuals within the participating organisations through semi-structured interviews. The study confirmed in both cases that the vast majority of reported information security incidents relate to human error, and although the volumes of human error related incidents pertaining to both participating organisations fluctuated over the 12 month period, the proportions of human error remained consistently as the majority root cause.

INDEX TERMS _{Human error assessment and reduction technique (HEART), human error related}

information security incidents, human reliability analysis (HRA), information security, information security core human error causes (IS-CHEC).

I. INTRODUCTION

The field of information security has developed numerous standards and frameworks governing how information should be processed by organisations. These standards include the ISO27000 series [1], Payment Card Industry Data Security Standard [2] and also sector specific policies and standards such as the Data Security and Protection Toolkit [3] applied to the National Health Service in Britain. Despite numerous

The associate editor coordinating the review of this manuscript and

approving it for publication was Junaid Arshad .

international and sector-specific standards and frameworks, the information security community has not adopted a formal mechanism to deal with human errors, such as the application of human reliability analysis (HRA) techniques [4], [5] which are widely used in high reliability sectors [6].

changes to common organisation practices to address these issues. People are susceptible to slips and lapses [10], which can affect the accuracy of tasks and often result in information security incidents. Yet despite this well understood limitation of workers, we identified that there is a comparative lack of prevention techniques and literature related to unintentional human error in information security assurance when com-pared to technology vulnerability or malicious intent includ-ing insider threat as outlined later in this paper.

As part of our broader research into information secu-rity related human error, we have undertaken and published related research which proactively applies the IS-CHEC tech-nique [11]. This research uses a questionnaire delivered to operational employees [11] rather than information security professionals acting reactively to reported incidents. The proactive use of IS-CHEC was applied within the same pri-vate sector organisation as applied within this article and provides an employee’s perspective on human error and sug-gested controls to enable risk quantification across the organ-isation to be performed.

The focus on the detection and prevention of human error in an information security setting is less established com-pared to high reliability sectors, such as NASA [12] where numerous HRA techniques have been evaluated and applied. It has also been established and published that with regard to human error related incidents, the human is not actually the cause of an incident but in fact the consequence of wider organisational failings [13].

This paper evaluates the application of the Information Security Core Human Error Causes (IS-CHEC) technique [8] applied to information security incident management over a 12 month period of time within participating public sector and private sector organisations simultaneously. The IS-CHEC technique is an adaptation of the Human Error Assessment and Reduction Technique (HEART) which has been in use for 30 years within industries such as rail, aviation, nuclear and healthcare to address the human error issue [14]. The HEART HRA technique was selected as the most applicable to an information security setting due to its accuracy, compatibility, needed resources, output and comprehensiveness [9]. The IS-CHEC technique was embedded within the information security incident management practices, as a component of our wider empirical action research to establish the root cause of reported incidents and, where the root cause is identified as being unintentional human error, to delve deeper into the underlying causes, and finally, to apply a framework of remedial and preventative measures to resolve the incident and prevent a re-occurrence.

The principal motivation and research hypothesis behind this work was to establish if the IS-CHEC information secu-rity HRA technique could have a positive or negative effect on information security within public and private sector organi-sations. If present, this positive effect would primarily mate-rialise through a greater understanding of the proportions and underlying causes of information security related human error. The research establishes the most common causes of

information security human error related incidents within the public and private sector organisations, as well as providing valuable actionable insights into information security aspects. An additional motivation is the potential to reduce human error and, therefore, a decline in the volumes of reported information security incidents.

This paper makes the following contributions:

• Conducts real-time longitudinal empirical research

simultaneously within public and private sector organ-isations using the IS-CHEC technique for the first time within published literature.

• Presents the volumes and proportions of human error

related information security incidents, plus the associ-ation between the proportions of human error related incidents and the overall volume of information secu-rity incidents, over the course of a 12 month period of empirical research within public and private sector organisations.

• Captures and presents the underlying themes pertaining

to tasks performed at the time of the incidents, underly-ing causes and effectiveness of remedial and preventa-tive measures.

These contributions will benefit academia through the pub-lication of much needed empirical research into the effects of human error within the field of information security. Moreover, the contributions will not only positively bene-fit industry and wider society initially through the partici-pating organisations delivering healthcare services, but will also subsequently provide an information security human reliability technique that can be applied across multiple sectors.

This paper presents the findings of a 12 month empirical case study of the effectiveness of the IS-CHEC information security HRA technique. The case study comprised of a real-time analysis exercise within participating public and private sector organisations following on from our previous retrospective analysis case studies [9]. The research enables further accuracy and evolution of the IS-CHEC technique from previous studies due to the timely nature of investiga-tions. This paper presents a comprehensive and detailed out-put in relation to information security incident management, specifically focusing on the incidents that relate to human error. Therefore, this paper presents an established and tested information security HRA which is applicable to be adopted by a wider range of areas of information security to address the current gap in knowledge and practice.

captures the research conclusions and presents future work on this topic.

II. RELATED WORK

A literature search was performed on 26/01/2019 using the SCOPUS abstract and citation database for any article published in 2019 using the search criteria of ‘Information Security’ or ‘Cyber Security’. The search returned 324 articles. We reviewed the abstract for each of these documents, and the full article where further understanding was required, whereupon we established that 67 articles were not information security related. From the remaining 257 articles it was found that 6 related to unintentional human error which equates to 2%. Of these 6 articles only 1 was primarily focussed on the topic of human error within the field of information security which equates to 0.4%.

The human is recognised as being the weakest link in organisational information security controls [15]–[20], which has resulted in publications focussing on human factors rather than technical aspects [16]. This is due to humans not behaving securely when using systems [18] which makes them a significant information security threat facing organ-isations [16]. However, with appropriate controls applied, the human can transform from the weakest link to the strongest link [19].

Previous research [9] defines a human error related infor-mation security incident as an ‘active failure’ by a person (the threat) performing an ‘intentional action’ resulting in the failure to complete a task as intended or achieve the desired outcome due to the exploitation of a ‘latent condition’ (the vulnerability). This can lead to a compromise or breach of information confidentiality, integrity or availability or asso-ciated law through the failure of technical or organisational safeguards, and can cause disruption to business opera-tions or causing harm or distress to individuals including breaches of privacy.

Stewart and Jurjens [21] presented in their research an empirical study which had found that 65% of data breaches were due to loss of paper files and human carelessness. Alaviet al.[22] presented similar findings, in which 64% of security incidents are directly related to human error. Further research presented by Asai and Hakizabera [23] suggests that 80% of information security breaches are caused by human error.

The Cyber Security Breaches Survey [24] states that human error is amongst the most common factors contribut-ing to the most disruptive breaches, indicatcontribut-ing that human error is not only exposing organisations to the majority of incidents, but also that those are the most impacting. Veiga and Martins [25] refer to surveys and research con-ducted by PriceWaterHouse and Ponemon Institute that established that 58% and 35% respectively of information security incidents and breaches were attributable to human factors, although they do not differentiate between intentional violations and unintentional human error. To add to this, Hwanget al.[26] refer to external reports, which presented

that 14% of information exposures originated from organisa-tional insiders.

The human factor is one of the most vulnerable aspects of cyber security incidents [27], and as set out in literature, the human factor is a most important component of infor-mation security, perhaps more important than the technical measures [28]. Human activity is the most critical factor in the management of information security [21] with experts growingly arguing that the main cause of information secu-rity incidents mainly lies with employees’ behavioural fac-tors rather than technical issues [29]. It was presented by Rajamäkiet al.[30] that employee negligence was a greater concern to healthcare organisations than cyber-attack.

There also appears within information security literature generally that there is a much greater focus on the human factors being as a result of intentional action or attacks [31] rather than unintentional human error, such as the 2017 Data Breach Investigations Report [32].

Organisations should develop strategies to reduce informa-tion security threats by employees [26] including focussing on employees’ behaviour [17]. Health Information Systems require rigorous evaluation that addresses human issues in addition to technology and organisational issues [33], which should lead to cultural change [34] and the implementation of system designs, which will display warning messages when user mistakes are made and prevent them from completing a task [35].

In addition to proactive and strategic planning, retrospec-tive analysis of incidents is important and can include root cause analysis, which is oriented to the identification of data associated with a specific occurrence [36]. Information security management remains relatively weak in conducting root cause analysis of minor incidents [37]. HRA can be used to both support retrospective and predictive analysis, but when applied to new fields this will have to be empirically derived [38].

III. RESEARCH METHOD

This research is based upon empirical research within partic-ipating organisations to drive information security improve-ments and forms part of a wider programme of action research study.

Action research is concerned with exploring and chal-lenging real life situations within organisational settings in order to solve problems through intervention [39]. It also generates new knowledge which is useful for both research and practice [40]. The research is based upon practical appli-cation to offer a solution to the problem of current infor-mation security incidents occurring as a result of human error.

A. RESEARCH SITES

The case study benefitted from two participating organisa-tions. One organisation was a public sector body and the other was a private sector organisation. Both organisations provide healthcare services to the British National Health Service (NHS) and, therefore, provide a reflective sample covering public and private sector organisations. They also provide insight into healthcare providers, which suffer from a large proportion of information security incidents and breaches related to human error [7].

The public sector organisation has approximately 2,000 employees and provides a range of services. Its incident man-agement practices are required to support compliance with legislation and government guidance. Information security is governed centrally by the Head of Security and Informa-tion Assurance and their small team, who are responsible for the development of organisational strategy and policy as well as oversight and engagement in all reported inci-dents. Designated individuals, usually managers, within each business area have responsibility for information security application in addition to their primary role. These Business area representatives are not dedicated information security professionals, but attend formal governance sessions with the information security team on a bi-monthly basis. The organisation has an information security policy as well as an information security incident policy and procedures in place, which are communicated to all employees as part of annual awareness requirements. Compliance in terms of awareness are continuously monitored and acted upon.

The private sector organisation is a large service provider operating in the United Kingdom. It has approximately 1,100 employees and provides a range of services to the NHS. Its incident management practices are required to sup-port compliance with international security standards, such as the ISO27001 Standard, Cyber Essentials as well as the NHS Information Governance Toolkit. Information security is governed centrally by the Senior Information Risk Owner and associated team, who are responsible for the development of organisational strategy and policy. In addition, designated information security leads have responsibility for every busi-ness area to ensure full coverage and adherence.

B. DATA COLLECTION AND ANALYSIS

We used semi-structured interviews and document reviews as data capture techniques and instruments over a 12 month period with both participating organisations simultaneously as they applied the IS-CHEC technique. The research began with the establishment of a researcher-client agreement [39], which included ensuring a common understanding of the research background, problem and intended solution. The agreement also formalised objectives and clear responsibili-ties for the participating organisation and researcher. Finally, the agreement set out the duration of the research which was agreed to be a minimum of 6 months, with the option for the participating organisation to extend to 12 months. Both organisations elected after 6 months to extend the research

to cover the full 12 month period. The research adhered to De Montfort University (DMU) ethical standards and guide-lines, and has been approved by the DMU ethics committee (ref: 1516/325).

The research required the organisations to review their respective incident management documentation and systems to fully incorporate the IS-CHEC technique prior to begin-ning the case study. Once the research had begun, a formal monthly incident management meeting, which was already in operation within both organisations, was expanded to include a comprehensive IS-CHEC report as a standard agenda item. The report was initially compiled and presented by the researcher using a monthly incident register extract supplied by the organisations each month. The organisations took responsibility for report compilation and presentation from month 10 upon mutual agreement. The report template can be seen in the Appendices.

At the end of the research, semi-structured interviews were undertaken with key individuals responsible for information security and incident management as well as senior manage-ment within both organisations. The interviews were face to face, scheduled for one hour and digitally recorded. The inter-views were subsequently transcribed, data coded and themat-ically analysed using NVivo version 11 software. Within both organisations it was important to interview personnel respon-sible for using IS-CHEC, but also senior managers in both organisations to gather their views and opinions. Therefore, within the public sector organisation we interviewed the Head of Security and Information Assurance (HoS&IA), Head of Internal Governance, who was also the Deputy Senior Infor-mation Risk Owner (Deputy SIRO) and InforInfor-mation Security Manager (ISM). The ISM was responsible for the implemen-tation of IS-CHEC. Within the private sector organisation, we interviewed the Chief Operating Officer (COO), Senior Information Risk Owner (SIRO), Information Security Man-ager (ISM) and Information Security Incident Analyst. The ISM and Information Security Incident Analyst were respon-sible for the implementation of IS-CHEC. The interviewees were asked to read and sign an informed consent form and asked to describe their role in the organisation, their responsi-bilities and the tasks or activities they are involved in and how this integrates with wider organisational information security. The interviewees were then asked the seven questions listed below in order to capture contextual qualitative information to ascertain their respective perceived applicability and effects of IS-CHEC on their role and organisation, any new learning, any overall thoughts on the study and finally their understand-ing of the underlyunderstand-ing causes of information security related human error which would support the principal motivation behind the study.

• Could you explain your understanding of the IS-CHEC

technique, the engagement you have had with the tech-nique and what impact this has had on your role? • _{Do you feel that the IS-CHEC technique, and its}

Please expand upon your response with as much detail as possible.

• Tell me about the positive effects, if any, that IS-CHEC

has had on the organisation? Please expand upon your response and provide positive examples if there are any. • Throughout the course of the IS-CHEC information

security incident project, what would you say have been the greatest challenges? Please expand upon your response with examples if possible.

• Through the use of IS-CHEC have you learned anything

new about your organisation and its people in terms of behaviours relating to information security? Please expand on your response.

• On reflection, would you suggest any changes to the

organisation, approach taken, or the IS-CHEC tech-nique? Please provide the rationale behind your sug-gested changes.

• Do you have any other opinions or feelings about the

IS-CHEC information security incident project that you would like to share?

To establish if there was a linear relationship between the proportions of human error related information security dents and the overall volume of information security inci-dents, we applied Pearson’s Correlation Coefficient using the formula presented below. The variable ‘x’ relates to the total number of incidents and ‘y’ relates to the number of human error-related incidents. We then compared the results attained for both organisations. The output is known as the r coefficient.

r = n P i=1

((xi− ¯x)(yi− ¯y))

s n P i=1

(xi− ¯x)2 n P i=1

(yi− ¯y)2

(1)

The output from this formula is in the form of statistical ranges from +_{1 through 0 to} −_{1. A result of} +_{1 would}

identify a perfect positive correlation, 0 would identify that there was no correlation and −_{1 would identify a perfect}

negative correlation. As set out by Taylor [41], a result of <=0.35 would be interpreted as a weak correlation, 0.36 – 0.67 would be interpreted as a modest correlation and 0.68 – 1.0 would be interpreted as a strong correlation.

In order to ensure research rigor in terms of validity and reliability, a number of mechanisms were embedded through-out the duration of the research. These methods aligned to the four criteria for research validity and reliability, [42]–[44] comprising of construct validity, internal validity, external validity and reliability. This was primarily achieved through the application of semi-structured interviews, routine formal governance within each participating organisation including a review of all incidents and the monthly IS-CHEC report, agreement and application of clear research objectives as part of the signed researcher-client agreement and also the strict application of the IS-CHEC technique to provide demon-strable cause and effect data related to human error related

information security incidents. Our findings were constantly interpreted and reviewed in light of existing literature and in consultation with the two participating public and private sector organisations, to ensure that they are consistent and that they accurately reflect the actual events. In addition, the research was undertaken and compared within the two participating organisations simultaneously and the required research material, including the IS-CHEC technique, meth-ods and results, to enable the research to be replicated has been published in this article and prior articles relating to our work [7]–[9], [11], [45], [46].

IV. IMPLEMENTATION

In this section we present a high-level introduction to the IS-CHEC technique and also the further adaptations that have been made to the technique over the course of the case study.

A. IS-CHEC INTRODUCTION/OVERVIEW

TABLE 1. _{GISAT mapping to the HEART Generic Task Types (GTT) [47].}

expectation that all incidents would be fully closed within a set timeframe although progress was continuously monitored. The five root cause options applied as part of the case study, and their results, can be seen in Tables 2 and 3. As per the process shown in Figure 1, the IS-CHEC technique is only applied where the root cause is identified to be a human error. However, the capturing of all root cause options was useful for the participating organisations in terms of trend analysis.

B. FURTHER ADAPTATION OF IS-CHEC

Over the course of the 12 month case study there were ongo-ing reviews undertaken of the IS-CHEC technique and the impact it was having each month as part of the respective organisations’ incident management meetings. The changes that have been applied to the IS-CHEC technique, as a result of ongoing evaluation throughout the case study since it was last published in literature [8], included the establish-ment of a standard IS-CHEC reporting format, the expansion of the GISATs to include ‘faxing information’ and ‘shar-ing or hand‘shar-ing over information or equipment in person’. Two additional CHECs were introduced for ‘distraction/task interruption’ and ‘time of day’ following a review of the HEART EPCs [14]. A mapping of CHECs to RPMs was also maintained throughout the case study. The CHEC-RPM mapping is located in the Appendix of this paper. Over the course of the study, the list of RPMs was enhanced and modified based upon monthly formal incident man-agement meetings which included a review of all inci-dents and the monthly IS-CHEC report. This was intended to encourage effective selection and application of actions and support a reduction in reported incident volumes. The introduced RPMs, due to incident review with the public sector organisation, were RPM15 (split process and introduce segregation of duties), RPM19 (recover, collect or destroy information or equipment) and RPM20 (reissue or resend information or equipment). In addition, the list of RPMs was evaluated against published literature [48], [49]. This review led to additional RPMs being agreed with the participating

organisations and added to the IS-CHEC technique and also, very importantly, the strength of each RPM being deter-mined. The introduced RPMs, due to literature review, were RPM16 (eliminate or reduce distractions), RPM17 (elimi-nate look-and-sound-alikes) and RPM18 (introduce warn-ings, alerts or alarms). The literature described the strength of each action as strong, medium or weak. However, the public sector organisation was not comfortable reporting on their people applying, or selecting, ‘weak’ actions. Therefore, the strength wording was modified to reflect effectiveness with the 3 indicators being higher effectiveness, moderate effectiveness and lower effectiveness. The review of literature enabled gaps in the IS-CHEC technique actions to be identi-fied and addressed as well as adopting the strength from the published literature. Other modifications, due to the literature review, were RPM5 having the term ‘standardisation’ being added in relation to procedures, tools, systems or practices and RPM8 incorporating audit in addition to assessment.

V. RESULTS

In this section, results are presented in terms of incident volumes and proportions of human error (sub-section A) and association between the total volumes of information security incidents and proportions of human error related incidents (sub-section B). Both are aligned to the IS-CHEC technique and its core components such as root cause, GISAT, CHEC and RPM which are presented as underlying incident themes (sub-section C). We also present the qualitative results of the semi-structured interviews held with key individuals within both organisations (sub-section D).

A. VOLUMES AND PROPORTIONS OF HUMAN ERROR RELATED INFORMATION SECURITY INCIDENTS

TABLE 2. _{Public sector incidents.}

FIGURE 2. _{Public sector incidents and proportions of human error.}

Comparison: The respective participating organisations realised differences in terms of the volumes of reported infor-mation security incidents. The public sector organisation saw an increase in reported incidents from the first month to the last month, whereas the private sector organisation saw a decrease. However, the public sector organisation did realise a reduction in incidents over the last 2 months of the study.

Both organisations recorded the fact that human error related information security incidents accounted for the majority of incidents over the duration of the study and also for every individual month.

B. LINEAR ASSOCIATION BETWEEN THE TOTAL NUMBER OF INCIDENTS AND PROPORTION OF HUMAN

ERROR RELATED INCIDENTS

As outlined within the research method section, we applied Pearson’s Correlation Coefficient to the total numbers of

incidents and the recorded human error related incidents in order to obtain an r coefficient value. The calculations data for both organisations can be seen in Tables23and24within the Appendices.

The statistical analysis undertaken demonstrates a strong association with the public sector organisation having an r coefficient value of 0.975 and the private sector having an r coefficient value of 0.981.

Comparison:The statistical analysis has shown that both participating organisations have a strong, and similar, lin-ear relationship between the total numbers of information security incidents and the proportions of human error related incidents over the 12 month duration of the study.

C. UNDERLYING INCIDENT THEMES

TABLE 3. _{Private sector incidents.}

FIGURE 3. Private sector incidents and proportions of human error.

to establish the underlying details associated with reported incidents. These core components are GISAT, CHEC and RPM.

General Information Security Affecting Tasks (GISAT):

The volumes of GISATs for both organisations can be seen in Table 4. The 16 GISATs are utilised to establish the actual task that was being performed at the time an incident occurred.

Comparison: There was a correlation relating to the types of tasks that were being performed when incidents occurred. Although in a different order, both organisations recorded GISATs 1, 2, 3 and 10 as part of the most com-mon 5 GISATs providing a picture that communicating, edit-ing or filedit-ing confidential or personal data by operational administrative personnel accounted for the vast majority of incidents.

Core Human Error Causes (CHEC):The 42 CHECs and their volumes are presented in Table 5 for the public sector organisation and Table 6 for the private sector organisation. Each time an incident was recorded, the most significant CHEC had to be recorded. The organisations were also required to capture, where appropriate, a second most signif-icant CHEC and a least signifsignif-icant CHEC.

Comparison:Both organisations clearly recorded the same most common CHEC. CHEC 17 accounted for 56% of recorded public sector incidents and 33% of private sec-tor incidents. This presents a view that both organisations detected that a lack of checks on the quality human output and human fallibility was the most common underlying cause of information security incidents.

TABLE 4. _{Public & Private sector GISATs.}

capture at least 1 RPM. However, the organisations were able to capture up to 5 RPMs for each incident. Table 7 presents the total for each RPM captured for all incidents by both organisations and Figures 4 and 5 present the percentages of each RPM effectiveness category as applied.

Comparison: There were some key differences between the two participating organisations in terms of the selection of RPMs and their effectiveness plus the volume of actions per incident. The public sector organisation recorded 254 actions for their 200 recorded human error related information secu-rity incidents. This equates to an average of 1.27 actions for each incident. The private sector organisation recorded 645 actions for their 322 incidents, which equates to an average of 2 actions per incident.

In addition, the public sector organisation RPMs included 9% with an indicated higher effectiveness, whereas 19% of the private sector applied RPMs had a higher effectiveness.

Both the volumes of overall actions in proportion to the number of recorded incidents, and the fact that the private sector organisation applied a greater percentage of RPMs with a higher effectiveness, could have been an influential factor as to why the private sector organisation benefit-ted from a reduction in reporbenefit-ted information security inci-dents, whereas the public sector organisation experienced an increase.

However, there were also similarities with both organisa-tions applying RPM1, 5 and 6 as the most common three RPMs, although in a different order.

D. PARTICIPANT’S IS-CHEC UNDERSTANDING, VIEWS AND OPINIONS

As outlined earlier we undertook semi-structured interviews with participants, which comprised of seven open-ended questions. The question responses were subject to transcrip-tion, coding and thematic analysis using the NVivo version 11 software. The results are presented in Table 8.

Overall the key themes were that greater incident under-standing was obtained relating to overarching incident trends and patterns as well as specific incident details such as the root cause. Another theme was that the undertaken research benefitted both organisations in the form of enhanced buy-in as a result of the used technique, which is uncomplicated, and provides quality reporting which is understandable to all stakeholders and works well.

The most common 20 words from the transcribed inter-views are presented below in Table 9. In terms of themes, the adoption of the IS-CHEC technique provided themes of how it had promoted greater thought in terms of low level incident understanding and acceptance of people and their mistakes, as well as common themes around what causes these mistakes to happen. In addition, both the words ‘actually’ and ‘know’ were commonly spoken providing an indication of greater understanding of the facts relating to incidents.

TABLE 5. _{(Continued.)Public sector CHECs.}

organisations felt the IS-CHEC technique was applicable to an information security setting. This included that no further changes were required to the technique and that the study and use of the IS-CHEC technique had introduced positive benefits including a greater understanding of their incidents, plus the proportions of human error and underlying causes. Other themes included acceptance and acknowledgment that people will make mistakes, they should move away from a blame culture as people are actually well intentioned and want to do a good job and that the organisation should take responsibility for failings. The most prominent themes related to organisational maturity at the beginning of the study, but more importantly how essential organisational buy-in was in order to achieve success.

All seven interviewees explicitly stated that the tool was applicable to an information security implementation. The private sector organisation COO stated: ‘‘It works for us. I don’t know whether that’s because of the type of things we’re doing in terms of the amount of paper and physi-cal manual processing. I think it definitely works for us’’. A theme in the responses was also that the technique provided a simple mechanism to understand the specific details of the incident through the GISAT component and the root cause analysis and that it was applicable to a service provider situa-tion with close working relasitua-tionship with clients. The private sector organisation ISM stated: ‘‘It is a fundamental way of our business working well. Especially, with the nature of our clients and what they want to see’’. In addition, interestingly, it was suggested that the technique should be expanded for all types of incidents and not be restricted to the management of information security incidents only, due to the common element being people and the successful results obtained.

The responses from all seven of the interviewees provided views that they felt no changes were required to the IS-CHEC technique, as it has proved to be simple, understandable and effective. The public sector organisation HoS&IA stated: ‘‘I don’t think the IS-CHEC technique needs to be amended. I think the way it is currently works’’ and the private sector organisation Information Security Incident Analyst stated: ‘‘There are no improvements needed.

TABLE 6. _{(Continued.)Private sector CHECs.}

related to staff error than we ever did before’’. In terms of senior management education, the private sector organisation COO stated: ‘‘I haven’t done this type of technique. I think, it has helped educate me around the level of expectation and the level of risk that’s introduced with lots of human handling around things and to help take that step back and look at what we need to do and what we need to focus on. So, I’ve definitely learned that, because, if this wasn’t done I think we would still be scratching our head around some of this’’.

As a result of the study, all seven interviewees demon-strated a good awareness of incidents, the proportions and effects of human error on the organisation. As expected, the senior managers in both organisations were not aware of the specific IS-CHEC technique component names but were able to express an accurate understanding of human error in terms of holistic views relating to trends, reporting and underlying causes as a result of using the IS-CHEC technique. The public sector HoS&IA demonstrated a con-firmed understanding when a response to one of the questions stated: ‘‘. . . we had an understanding, an idea, that most of our incidents were to do with human error, but we didn’t really have the stats and management information to back that up’’. Whereas the private sector organisation ISM was surprised by the confirmed proportions of human error in one of their responses: ‘‘I was not aware of the high numbers of human error before this work, and it is quite alarming. It is not unsurprising now that we have seen the data, because it is so easy to make a simple mistake’’. Responses also showed a greater understanding of staff culture within respective organisations.

As a result of the enhanced organisational understanding in both organisations, there was an acceptance and acknowl-edgment that people will make mistakes and a need to move

away from a blame culture. As an example of this, the private sector COO stated: ‘‘. . . let’s face facts, people will always make mistakes. So, there will always be an element of human error if you’ve got highly manual processing. So we should accept that that does happen’’. To support this view the public sector organisation interviewees provided a form of empathy with employees of the organisation in that they should not be perceived as intentionally wanting to negatively impact the organisation with the ISM stating: ‘‘What I’ve learned is that people generally want to do a good job. An effective job, in a secure way. They don’t want to be sending individuals’ personal data to the wrong people. The closer understanding of the people that error pertained to showed a desire to operate good security practices with the HoS&IA also stating: ‘‘I think before we engaged in this, I don’t think we believed that staff were really security minded, but, I think, it has opened my eyes that they are. Obviously, not all staff are, but a lot more than what I gave credit for’’.

TABLE 7. _{Public & Private sector RPMs.}

There were a couple of core themes relating to challenges that were raised in the interviews pertaining to initial organ-isational maturity and buy-in. With regard to initial maturity the public sector organisation stated: ‘‘. . . this was not just a step to the next level, but a step up a number of levels to what we were doing’’ and also relating to the position at the end of the study ‘‘. . . this has taken us to the next level. I think, all the reports and MI we are getting, the KPIs we are building from our side now put us on a good foot’’. This shows that the organisation has, despite initial challenges, demonstrated significant progress in terms of incident management matu-rity through the study and use of the IS-CHEC technique. The private sector organisation was felt to already be in a mature position with regard to information security incident management although the ISM did state: ‘‘...we would need good reporting from the outset’’ showing that improvements were needed to realise improvements quicker than experi-enced throughout the study.

TABLE 8. _{Semi-structured interview response codes.}

organisation HoS&IA stated: ‘‘. . . its been difficult in some areas to get across to the staff the importance of why we are doing this. . . once you sit down and you talk through the benefits and start sharing the MI and analysis that we’re getting, then they do understand it’’.

Comparison: The organisations expressed very similar patterns in terms of improved information security incident management maturity and challenges around wider organisa-tional buy-in. The key theme across both organisations was an increased understanding of their respective employees, their

behaviours and challenges and context they work in, which can affect information security posture.

VI. DISCUSSION

A. PRINCIPAL FINDINGS

TABLE 9. _{Semi-Structured Interview Response Word Frequency.}

FIGURE 4. Public sector RPM effectiveness percentages.

information security incidents over the 12 month period was 79% for the public sector organisation and 89% for the private sector of all reported incidents.

A key finding from the independent case study research undertaken in both organisations showed that the volumes of information security incidents and human error and trend

FIGURE 5. Private sector RPM effectiveness percentages.

TABLE 10. _{Incident volumes.}

TABLE 11. Human Error Information Security Incidents by Business Area.

TABLE 12. RPMS by Month.

across the organisation. This is evident in month 1, where 4 incidents were reported and recorded, which was not reflec-tive of the actual organisational position. The adoption of the IS-CHEC technique allowed the public sector organisation to

TABLE 13._{RPMs by Business Area.}

TABLE 14.All RPMs.

TABLE 15.GISAT by Business Area.

focus on capturing incidents and their underlying causes and is now in a much stronger and informed position. The private sector organisation, however, was in a more established and mature position in terms of personnel, systems and organ-isational understanding at the start of the 12 month study. They benefitted from a general trend of decreasing incident volumes over the study period, as well as bettering their understanding on the causes of human error, which continued to account for the majority of incident root causes.

The study, through the use of Pearson’s Correlation Coef-ficient, also established that within both organisations there was a strong linear relationship between the total numbers of recorded information security incidents and the proportions of human error related incidents.

TABLE 16. _{GISAT by Month.}

TABLE 17. Count of Systems or Processes & Nominal Likelihood of Failure.

TABLE 18. _{Most Common Systems or Processes & HEART Nominal}

Likelihood of Failure & Actual Likelihood of Failure.

and respective organisation and was applicable to an infor-mation security setting, although success is dependent upon effective organisational buy-in.

The study provides further evidence that HRA can be used to support retrospective and predictive analysis of informa-tion security [38]. The study also reinforced and demon-strated views expressed in that the main cause of information security incidents relates to an organisation’s employees [29]. The case study also presents data supporting an argument against the low proportions of human factor root causes of incidents and breaches presented in literature [26], [50].

TABLE 19._{Systems or Processes by Business Area.}

TABLE 20.Most Significant CHECs.

TABLE 21.Total CHECs.

B. IMPLICATIONS OF THE FINDINGS

The research provides solid evidence that the information security field would benefit from the formal development and application of HRA techniques, such as IS-CHEC, to address the issue of human error and its information security impact which is not currently the case. HRA is established within the safety field, and the information security field would benefit from these methods too as a common denominator is the people that are an integral component of both.

C. LIMITATIONS OF THE METHOD

TABLE 22. _{(Continued.)Mapping of CHECs to RPMs.}

TABLE 23. Public Sector Organisation Correlation Data.

expected with an average of 37% public sector incidents having their expected root cause analysis completed within the 5-day expectation and 71.5% for the private sector organ-isation. Also public sector reported incidents on average were open for 49.3 working days before they were closed and the private sector organisation for 40.5 working days. This impacted upon the speed of selection and implementation of RPMs, but also resulted in the monthly IS-CHEC reports containing incomplete information, which were required to enable strategic action to be taken. It was also found that the time duration from incident reporting to incident closure did not happen quickly, which again added delay to experiencing

the intended organisational benefits, such as a reduction in incident volumes.

TABLE 24. _{Private Sector Organisation Correlation Data.}

also included newly recruited information security personnel. In addition, the public sector organisation in particular strug-gled to obtain buy-in and collaboration from the wider busi-ness areas to enable incidents to be processed as quickly as desired.

As this research was applied to two independent public and private sector organisations, the findings are felt to be generally applicable to organisations outside of this research that undertake large amounts of manual processing of per-sonal or confidential information. This is due to the com-mon element being people and their behaviour, which is at the core of all organisations. However, as both participating organisations provide healthcare services, there is a potential limitation of the research in that the captured results could present a bias towards the healthcare sector and associated services.

VII. CONCLUSION AND FUTURE WORK

The research found that within the participating organisations the common tasks that were being performed and associ-ated with incidents were administrative tasks, which relassoci-ated to the communication, editing or storage of confidential or personal information. The research also established that the

most common cause of human error related information secu-rity incidents was a lack of checking to detect and protect against human fallibility. It was also notable that in both organisations the most common RPM was RPM1 – Aware-ness and training undertaken (including 1:1), which has a lower effectiveness due to the fact that it relies upon memory to prevent a reoccurrence [49]. It was also noticeable that the private sector organisation was willing to apply more remedial and preventative measures to address human error, and, in particular, difficult measures that attract a higher effectiveness were successful in benefiting from a clear and recognisable reduction in both human error and overall infor-mation security incidents.

related incidents. This provides a view that the IS-CHEC technique was successful in providing benefit through increased understanding of human error risk exposure for the participating organisations and either reduced or reducing incident volumes following a peak, which coincided with organisational awareness and understanding campaigns. However, the fact remains that a common characteristic of a human being is that we will make mistakes and organisations should formally adopt HRA techniques, such as IS-CHEC, to address this fact.

APPENDICES

A. IS-CHEC REPORT TEMPLATE

Introduction Executive Summary

Human Error Information Security Incidents Reporting Period

See Tables 10–21.

B. CHEC AND RPM MAPPING

Remedial and preventative measures (RPM) were selected and applied according to the identified Core Human Error Causes (CHEC). A mapping of CHECs and RPMs can be found in Table 22 below to aid selection of consistent and effective controls.

C. PEARSON’S CORRELATION COEFFICIENT DATA

See Tables 23 and 24.

ACKNOWLEDGMENT

The authors thank the editors and the anonymous reviewers for their constructive comments. The funder had no role in study design, data collection and analysis, decision to pub-lish or preparation of the manuscript.

REFERENCES

[1] Information Security Management Systems—Requirements, Standard ISO/IEC 27001, BSI, 2013.

[2] Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS), Version 3.2, PCI Security Standards Council, Wakefield, MA USA, 2016.

[3] NHS Digital. (2019). Data Security and Protection Toolkit. Accessed: Jan. 26, 2019. [Online]. Available: https://www.dsptoolkit. nhs.uk/

[4] D. Gertman, ‘‘Part 3: Cyber security and risk assessment?: HRA where art thou?’’ Tech. Rep., 2013.

[5] C. C. Wood and W. W. Banks, Jr., ‘‘Human error: An overlooked but significant information security problem,’’Comput. Secur., vol. 12, no. 1, pp. 51–60, Feb. 1993.

[6] J. Bell and J. Holroyd, ‘‘Review of human reliability assessment methods,’’ Health Saf. Lab., p. 78, 2009.

[7] M. Evans, Y. He, I. Yevseyeva, and H. Janicke, ‘‘Analysis of published public sector information security incidents and breaches to establish the proportions of human error,’’ inProc. 12th Int. Conf. Hum. Aspects Inf. Secur. Assurance (HAISA), 2018, pp. 911–921.

[8] M. Evans, Y. He, L. Maglaras, I. Yevseyeva, and H. Janicke, ‘‘Evaluating information security core human error causes (IS-CHEC) technique in public sector and comparison with the private sector,’’Int. J. Med. Inform., vol. 127, pp. 109–119, Jul. 2019.

[9] M. Evans, Y. He, L. Maglaras, and H. Janicke, ‘‘HEART-IS: A novel tech-nique for evaluating human error-related information security incidents,’’ Comput. Secur., vol. 80, pp. 74–89, Jan. 2019.

[10] J. T. Reason,Human Error. Cambridge, U.K.: Cambridge Univ. Press, 1990.

[11] M. Evans, Y. He, C. Luo, I. Yevseyeva, H. Janicke, and L. A. Maglaras, ‘‘Employee perspective on information security related human error in healthcare: Proactive use of IS-CHEC in questionnaire form,’’ IEEE Access, vol. 7, pp. 102087–102101, 2019.

[12] F. T. Chandler, Y. H. J. Chang, A. Mosleh, J. L. Marble, R. L. Boring, and D. Gertman, ‘‘Human reliability analysis methods: Selection guidance for NASA,’’ NASA, Washington, DC, USA, Jul. 2006, p. 175.

[13] L. Johannesen, N. Sarter, and R. Cook,Behind Human Error. ProQuest Ebook Central, 2010.

[14] J. C. Williams and J. L. Bell, ‘‘Consolidation of the error producing conditions used in the human error assessment and reduction technique (heart),’’Saf. Rel., vol. 35, no. 3, pp. 26–76, Dec. 2015.

[15] A. Y. Connolly, M. Lang, J. Gathegi, and D. J. Tygar, ‘‘The effect of organ-isational culture on employee security behaviour: A qualitative study,’’ in The Effect of Organisational Culture on Employee Security Behaviour: A Qualitative Study. 2016, pp. 33–44.

[16] M. Alaskar, S. Vodanovich, and K. N. Shen, ‘‘Evolvement of informa-tion security research on employees’ behavior: A systematic review and future direction,’’ inProc. 48th Hawaii Int. Conf. Syst. Sci., Jan. 2015, pp. 4241–4250.

[17] A. Alhogail and A. Al Hogail, ‘‘Cultivating and assessing an organizational information security culture; An empirical study analyzing human factors and change management principles toward building information security culture view project cultivating and assessing an organizational informa-tion security culture; An empirical study,’’Artic. Int. J. Secur. Appl., vol. 9, no. 7, pp. 163–178, 2015.

[18] P. Mayer, A. Kunz, and M. Volkamer, ‘‘Reliable behavioural factors in the information security context,’’ inProc. 12th Int. Conf. Availability, Rel. Secur. (ARES), 2017, pp. 1–10.

[19] K. Helkala, ‘‘Supporting the human in cyber defence,’’ inComputer Secu-rity. Cham, Switzerland: Springer, 2018, pp. 147–162.

[20] E. Metalidou, C. Marinagi, P. Trivellas, N. Eberhagen, C. Skourlas, and G. Giannakopoulos, ‘‘The human factor of information security: Unin-tentional damage perspective,’’Procedia-Social Behav. Sci., vol. 147, pp. 424–428, Aug. 2014.

[21] H. Stewart and J. Jürjens, ‘‘Information security management and the human aspect in organizations,’’ Inf. Comput. Secur., vol. 25, no. 5, pp. 494–534, Nov. 2017.

[22] R. Alavi, S. Islam, and H. Mouratidis, ‘‘An information security risk-driven investment model for analysing human factors,’’Inf. Comput. Secur., vol. 24, no. 2, pp. 205–227, Jun. 2016.

[23] T. Asai and A. U. Hakizabera, ‘‘Human-related problems of information security in East African cross-cultural environments,’’Inf. Manage. Com-put. Secur., vol. 18, no. 5, pp. 328–338, Nov. 2010.

[24] R. Klahr, J. N. Shah, P. Sheriffs, T. Rossington, and G. Pestell, ‘‘Cyber security breaches survey 2017: Main report,’’ Tech. Rep., 2017.

[25] A. da Veiga and N. Martins, ‘‘Improving the information security culture through monitoring and implementation actions illustrated through a case study,’’Comput. Secur., vol. 49, pp. 162–176, Mar. 2015.

[26] I. Hwang, D. Kim, T. Kim, and S. Kim, ‘‘Why not comply with informa-tion security? An empirical approach for the causes of non-compliance,’’ Online Inf. Rev., vol. 41, no. 1, pp. 2–18, Feb. 2017.

[27] L. A. Maglaras, G. Drivas, K. Noou, and S. Rallis, ‘‘NIS directive: The case of Greece,’’ ICST Trans. Secur. Saf., vol. 4, no. 14, p. e1, 2018.

[28] E. D. Frangopoulos, M. M. Eloff, and L. M. Venter, ‘‘Human aspects of information assurance: A questionnaire-based quantitative approach to assessment,’’ inProc. HAISA, 2014, pp. 217–229.

[29] S. Choi, J. T. Martins, and I. Bernik, ‘‘Information security: Listening to the perspective of organisational insiders,’’J. Inf. Sci., vol. 44, no. 6, pp. 752–767, Jan. 2018.

[30] J. Rajamäki, J. Nevmerzhitskaya, and C. Virág, ‘‘Cybersecurity educa-tion and training in hospitals: Proactive resilience educaeduca-tional framework (Prosilience EF),’’ inProc. IEEE Global Eng. Educ. Conf. (EDUCON), Apr. 2018, pp. 2042–2046.

[31] J. Braband and H. Schäbe, ‘‘Probability and security—Pitfalls and chances,’’Saf. Rel., vol. 36, no. 1, pp. 3–12, Jan. 2016.

[33] M. M. Yusof, J. Kuljis, A. Papazafeiropoulou, and L. K. Stergioulas, ‘‘An evaluation framework for health information systems: Human, orga-nization and technology-fit factors (HOT-fit),’’Int. J. Med. Inform., vol. 77, no. 6, pp. 386–398, Jun. 2008.

[34] J. Burleigh and M. Greenfield, ‘‘Directorate/programme NHS digital exter-nal IG delivery project IG incident reporting document reference project manager status final owner annual information governance (IG) incident trends (2015–2016),’’ Tech. Rep., 2015.

[35] R. Khajouei, R. Abbasi, and M. Mirzaee, ‘‘Errors and causes of commu-nication failures from hospital information systems to electronic health record: A record-review study,’’Int. J. Med. Inform., vol. 119, pp. 47–53, Nov. 2018.

[36] P. C. Cacciabue and G. Vella, ‘‘Human factors engineering in healthcare systems: The problem of human error and accident management,’’Int. J. Med. Inform., vol. 79, no. 4, pp. e1–e17, Apr. 2010.

[37] S. M. Furnell, N. Clarke, and D. Lacey, ‘‘Understanding and transforming organizational security culture,’’Inf. Manage. Comput. Secur., vol. 18, no. 1, pp. 4–13, Mar. 2010.

[38] M. Kyriakidis, V. Kant, S. Amir, and V. N. Dang, ‘‘Understanding human performance in sociotechnical systems—Steps towards a generic frame-work,’’Saf. Sci., vol. 107, pp. 202–215, Aug. 2018.

[39] R. Davison, M. G. Martinsons, and N. Kock, ‘‘Principles of canonical action research,’’Inf. Syst. J., vol. 14, no. 1, pp. 65–86, 2004.

[40] K. Olesen and M. D. Myers, ‘‘Trying to improve communication and collaboration with information technology: An action research project which failed,’’Inf. Technol. People, vol. 12, no. 4, pp. 317–332, 1999. [41] R. Taylor, ‘‘Interpretation of the correlation coefficient: A basic review,’’

J. Diagnostic Med. Sonogr., vol. 6, no. 1, pp. 35–39, Jan. 1990. [42] M. Gibbert, W. Ruigrok, and B. Wicki, ‘‘What passes as a rigorous case

study?’’Strategic Manage. J., vol. 29, no. 13, pp. 1465–1474, Dec. 2008. [43] A. M. Riege, ‘‘Validity and reliability tests in case study research: A lit-erature review with ‘hands-on’ applications for each research phase,’’ Qualitative Market Res., Int. J., vol. 6, no. 2, pp. 75–86, Jun. 2003. [44] J. M. Morse, M. Barrett, M. Mayan, K. Olson, and J. Spiers, ‘‘Verification

strategies for establishing reliability and validity in qualitative research,’’ Int. J. Qualitative Methods, vol. 1, no. 2, pp. 13–22, Jun. 2002. [45] M. Evans, L. A. Maglaras, Y. He, and H. Janicke, ‘‘Human behaviour as an

aspect of cybersecurity assurance,’’Secur. Commun. Netw., vol. 9, no. 17, pp. 4667–4679, Nov. 2016.

[46] M. Evans, Y. He, I. Yevseyeva, and H. Janicke, ‘‘Published incidents and their proportions of human error,’’Inf. Comput. Secur., vol. 27, no. 3, pp. 343–357, 2019.

[47] J. C. Williams, ‘‘A user manual for the heart human reliability assessment method,’’ DNV Technica, Oslo, Norway, Tech. Rep., 1992.

[48] National Patient Safety Foundation. (Jan. 2015).RCA Improving Root Cause Analyses and Actions to Prevent Harm. [Online]. Available: https://Www.Npsf.Org

[49] P. D. Hibbert, M. J. W. Thomas, A. Deakin, W. B. Runciman, J. Braithwaite, S. Lomax, J. Prescott, G. Gorrie, A. Szczygielski, T. Surwald, and C. Fraser, ‘‘Are root cause analyses recommendations effective and sustainable? An observational study,’’Int. J. Qual. Health Care, vol. 30, no. 2, pp. 124–131, Mar. 2018.

[50] Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview, Ponemon Inst., Traverse City, MI, USA, 2017.

MARK EVANS is currently pursuing the Ph.D. degree in information security with De Montfort University. He is also an information security pro-fessional with over 15 years experience. He has experience in designing and implementing infor-mation security management systems and frame-works within private and public sector organiza-tions across the world. He has helped a number of organizations to understand and address their information security risks and weaknesses ranging from technical cyber security through to human factors and behavior. His current research interest includes the human factors of information security with a specific focus on human error.

YING HEreceived the Ph.D. degree in computer science from Glasgow University, U.K. She is cur-rently a Senior Lecturer of computer science with the School of Computer Science and Informatics, De Montfort University, U.K. Her current research interests include cyber threat intelligence, security risk management, decision-making, business ana-lytics, control systems architecture, and human’s aspects of security. She also works on how secu-rity management frameworks can be applied in different industries, such as healthcare and finance.

CUNJIN LUOreceived the Ph.D. degree in com-puter science from the Harbin Institute of Technol-ogy (HIT), China. He has also been a joint Ph.D. Student with The University of Manchester. He is currently an Associate Professor with the Key Lab-oratory of Medical Electrophysiology, Ministry of Education, Southwest Medical University, China. He is also an Associate Professor with the School of Computer Science and Engineering, Northeast-ern University, China. His current research inter-ests include healthcare informatics, cardiac electrophysiology, and medical data analytics. He received the National Natural Science Foundation of China (NSFC) Grant on computer modeling and healthcare diagnosis, and an anti-poverty project in the sustainability of health and wellbeing.

IRYNA YEVSEYEVA was a leading Research Associate in Choice Architecture for Information Security (ChAISe) Project with Newcastle Uni-versity, U.K., a part of first Research Institute on Science of Cyber Security (RISCS), where she was involved in models of influencing secu-rity behaviors. She has been a Senior Lecturer in computing science and cyber security with the Faculty of Technology, De Montfort Univer-sity, Leicester, U.K., since 2016, where she is a member of Cyber Technology Institute. Her current research interests include multicriteria decision analysis and optimization and their application in various domains, including security, manufacturing, health care, and chemoinformatics.

EFPRAXIA ZAMANI received the Ph.D. degree from the Department of Management Science and Technology, Athens University of Economics and Business, Athens, Greece. She is currently a Senior Lecturer of information systems with the University of Sheffield. Her current research interests include intersection of organizational and social aspects of information systems, with an emphasis on postadoption user behavior, enter-prise information systems, and blockchain appli-cations. Her work has been presented in numerous journals, such as the Journal of Information Technology,Government Information Quarterlyand theInternational Journal of Electronic Commerce.